On 19/08/14 16:17, Thierry Carrez wrote:
Gary Kotton wrote:
On 8/19/14, 2:48 PM, "Ihar Hrachyshka" <ihrachys@redhat.com> wrote:
And if they haven't encountered the issue yet, and don't know that default value is failing hard, then we leave our users with DoS unfixed, waiting for their users to break the cloud and then debug the issue, finally discovering that we have defaults that are broken and not even documented as such anywhere.
Where is a DOS attack here? Is this a few extra RPC messages being sent?
If this is a security issue, different rules apply, the first of which is that the Vulnerability Management Team should handle that bug, assess the vulnerability, coordinate the backports and ask for relevant exceptions.
You can't just sneak security fixes in without proper announcements (and then use the "security" card to justify exceptions).
I added the security flag to that bug so that it gets assessed and handled through the regular channels.
Fair enough, and thanks! I'm new to the whole process, so I may fail to follow proper procedures sometimes... :)
/Ihar